BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates generally to network communications, such as communications in wireless ad-hoc networks. More particularly, the present invention relates to a method, system and apparatus for increasing network security and reliability by excising a compromised router from an ad-hoc network.

2. Background and Related Art

Wireless ad-hoc networks preferably do not rely on immobile base stations or other fixed infrastructure. Accordingly, ad-hoc networks are important in military, emergency, mobile and temporary environments (e.g., business meetings, campaign headquarters, and so forth). As will be appreciated by those of ordinary skill in the art, in some ad-hoc networks, each node is responsible for routing "packets," or message signals, for other network nodes. An example of this type of network 100 is shown in Figure 2a. As illustrated, node X can route packets between nodes W, Y and Z, for example. Nodes in an ad-hoc network preferably employ known routing techniques to accomplish their routing requirements.

For example, as discussed in U.S. Patent No. 6,028,857, issued to R. Poor on February 22, 2000, and assigned to the Massachusetts Institute of Technology, in a "link state" routing approach, each network node maintains a routing table that specifies an "optimal" path toward each network destination. In the 6,028,857 patent, the term "optimal" is used to generally mean the shortest path, but may account for other factors such as load balancing. As will be appreciated by those skilled in the art, a shortest-path calculation can be performed via a shortest-path first algorithm, for example, Dijkstra's algorithm as explained in Chapter 5 of "Routing in Communications Networks," M. Steenstrup, ed., 1995.

As discussed in the 6,028,857 patent, when a node in a link state routing system transmits a message to a destination node, it first fetches from a routing table an entry for the specified destination. The routing table entry specifies which neighbor of an originating node should relay the message, and the identification of that neighbor is installed in a message header as the recipient. The originating node then transmits the message. Many of the originating node's nearby neighbors receive the message, since radio frequency ("RF") transmissions are essentially omni-directional. However, of all the neighbors that receive the transmission, only the specified recipient acts on the message. The recipient relays the message in the same manner, according to an entry in its routing table corresponding to the destination node. This process continues until the message reaches the ultimate destination. The nodes in the 6,028,857 patent do not maintain these types of routing tables, but rather maintain "cost tables" that indicate the costs of transmission to other nodes in the network.

EXPRESS MAIL NO. EK673490350US PATENT

DOCKET NO. 00-4010

Other forms of ad-hoc wireless networks simplify routing and minimize routing traffic by organizing nodes (e.g., network members) into hierarchical groups called clusters, with each cluster having a cluster head. A cluster may include a single cluster head and zero or more cluster members. A cluster head serves as a router for affiliated cluster members. Cluster head stations communicate with each other to form a network backbone, and cluster member stations relay messages to the network through affiliated cluster heads. In mobile systems, cluster members move into and out of clusters depending on their physical location and radio connectivity. An example of this type of mobile communications network 110 is shown in Figure 2b, in which areas 1a, 1b and 1c represent individual clusters. In Figure 2b, a double circle indicates a Cluster Head ("CH"), whereas a single circle indicates a Cluster Member ("CM"). In the Figure 2b example, CM2 and CM3 are affiliated with a cluster headed by CH1, and CM6 and CM7 are affiliated with a cluster headed by CH5. CH4 is the head of its own cluster.

Another example of a mobile communications network is disclosed in U.S. Patent No. 5,850,592, issued to S. Ramanathan on December 15, 1998, and assigned to the same assignee of this present application. The 5,850,592 patent discloses a method for a plurality of mobile stations to automatically organize themselves into a hierarchical network, in which some of the stations operate as message gateways for a cluster of mobile stations. Initially, mobile stations search for available cluster heads and initiate an affiliation procedure to establish themselves as cluster members. If the affiliation procedure is successful, a mobile station operates as a cluster member. Otherwise, a mobile station promotes itself to operate as a cluster head.

In the arrangement of the 5,850,592 patent, each station operates in at least two basic modes. In the first mode, the mobile station serves as a message gateway or router for a cluster of other member stations. The second mode allows the mobile station to operate as a non-gateway (or "cluster member") station. Each mobile station determines which of the two modes to operate in, as discussed above. The mobile stations disclosed in the 5,850,592 patent can operate at two different power levels. When there are no other available cluster heads, a mobile station operates as a cluster head, and transmits at a relatively high power level. A cluster head transmits at the relatively high power level to communicate with other cluster head stations and to typically provide longer distance network links. Although a cluster head communicates at a higher power level with other cluster heads, a cluster head can still communicate with its cluster members using a relatively lower power level.

As will also be understood by those of ordinary skill in the art, there are many other known procedures for routing messages over a network, even when a configuration of the network may change. Link state routing is only one well-known routing mechanism. There are also many procedures for measuring or rating the connectivity of a network in a particular configuration (e.g., metric generation) that are well known in the art. These types of techniques will not be described in further detail; however, reference may be had to technical articles including: "Packet Radio Routing," by Gregory S. Lauer in Chapter 11 of "Routing in Communication Networks," ed. Martha E. Steenstrup, Prentice-Hall 1995; "Packet Radio Network Routing Algorithms: A Survey," by J. Hahn and D. Stolle, IEEE Communications Magazine, Vol. 22, No. 11, November 1984, pp. 41-47; "The Organization of Computer Resources into a Packet Radio Network," by R. E. Kahn, IEEE Trans. on Communications, Vol. COM-25, No. 1, January 1977, pp. 169-178; "Analysis of Routing Strategies for Packet Radio Networks," J. Garcia Luna Aceves and N. Shacham, Proc. of the IEEE INFOCOM '85, Washington, D.C., March 1985, 292-302; and "The DARPA Packet Radio Network Protocols," by J. Jubin and J. Tornow, Proc. of the IEEE, Vol. 75, No. 1, January 1987, pp. 21-32. See also U.S. Patent Nos. 4,718,002, 5,243,592, 5,850,592, 5,881,246, 5,913,921 and 6,028,857 for the general state of the art in wireless network message routing.

As will be appreciated by those of ordinary skill in the art, in wireless ad-hoc networks, all of the nodes are preferably equipped with communications transceivers. At least some of these nodes are capable of network routing functions ("routers") and the other nodes are merely sources or destinations for data traffic ("endpoints"). Preferably, all nodes in an ad-hoc network execute a set of algorithms, and perform a set of networking protocols. As will be appreciated by those skilled in the art, these algorithms and protocols enable the nodes to find each other, determine paths through the network for data traffic from source to destination(s), and detect and repair ruptures in the network as nodes move, as they fail, as battery power changes, as communications path characteristics change over time, and so forth. It will also be appreciated that network nodes can send "updates" or other messages that supply network information. An update can contain information regarding a router's neighbors, potential neighbors, link metric data (e.g., a "cost" of transmissions or links), affiliated nodes, network conditions, partition information, etc.

Despite the many advantages that are provided by these types of networks, there are still problems to be solved. For example, all networks suffer from security problems to some extent, but ad-hoc networks are more vulnerable in a particular way. That is, an "enemy" may physically obtain possession of one of the routers while it is still functioning as part of an ad-hoc network. The enemy may then manipulate the router (e.g., by reconfiguring or reprogramming it, or even by clever manipulation of its external interfaces) in such a way that the router begins to damage the operation of the rest of the network. A network loses an ability to trust its member routers when an enemy seizes one of the routers. As will be appreciated, all routers in a network must "trust" each other in order for the network to function properly.

These types of problems are not adequately addressed in the art. Thus, there is a need to increase the security and reliability of such ad-hoc networks. There is another need to provide a system and method to excise one or more routers from a functioning ad-hoc network. There is another need to provide a mechanism for reinstating an excised router.

SUMMARY OF INVENTION

The present invention relates generally to excising compromised routers from communication networks.

According to the invention, a communications router for use in a communications network is provided. The network includes a plurality of routers. At least one network control computer communicates with the communications router. The communications router includes a transceiver to transmit and receive messages and an electronic memory circuit having network information stored therein. The communications router also includes an electronic processor circuit which (i) evaluates an excising signal received from the network control computer, the excising signal containing information regarding a first router of the plurality of routers to be excised from the network; (ii) determines an authenticity of the excising signal; (iii) excises the first router when the excising signal is authenticated; and (iv) reroutes the excising signal to at least a second router of the plurality of routers when the excising signal is authenticated.

One embodiment relates to a method of operating a first router in a communications system for communications among a plurality of routers in a network. At least one network control computer is linked to the first router of the plurality of routers. Each of the communications routers includes a transceiver to transmit and receive messages. The method includes the steps of: (i) evaluating an excising signal received from the network control computer, the excising signal containing information regarding a second router of the plurality of routers to be excised from the network; (ii) determining an authenticity of the excising signal; (iii) excising the second router when the excising signal is authentic; and (iv) rerouting the excising signal to at least a third router of the plurality of routers.

In another embodiment, a mobile communications station that 
communicates among a plurality of mobile stations in an ad-hoc 
network is provided. The network has stations arranged in 
clusters of communication member stations, with one member 
station in each cluster being a head station for the cluster. 
Each member station communicates with the network through at 
least one cluster head station. Each cluster head station 
communicates with zero or more cluster head stations. The mobile 
station includes a transceiver that transmits signals to and 
receives signals from mobile stations in the network. A network 
computer is linked with the mobile communications station. The 
mobile communications station includes a memory having network 
information stored thereon. The mobile station also includes a 
processor which (i) operates the mobile station as a cluster head 
or cluster member station; (ii) evaluates an excising signal 
received from the network computer, the excising signal
containing information regarding a first cluster head or cluster 
member station to be excised from the network; (iii) verifies the 
authenticity of the excising signal; (iv) excises the first 
cluster head or cluster member station when the excising signal 
is authentic; and (v) distributes the excising signal to at least 
a second cluster head or cluster member station. 

In still another embodiment, a method of operating a network is 
provided. The method is employed in a communications system for 
communications in the network among a plurality of wireless 
routers. At least one control computer is linked to a first 
router of the plurality of routers. Each of the routers includes 
a transceiver to transmit and receive messages. The method
includes the steps of: (i) formulating in the control computer an 
excise signal indicating at least a second router to be excised 
from the network, providing a digital signature of the control 
computer with the excise signal and transmitting the excise 
signal to the first router; (ii) verifying the signature on the 
excise signal in the first router, and when the signature is 
valid (a) adding the information identifying the second router to 
information regarding excised routers stored in memory of the 
first router, (b) removing from the first router routing updates 
corresponding to the second router, (c) removing information 
corresponding to the second router from a neighbor table of the 
first router when the second router is listed therein, and (d) 
recomputing a forwarding table in the first router; (iii) 
redistributing the excise signal to each of the plurality of routers, except for the second router; and (iv) determining, in each of the plurality of routers when receiving a message from another one of the plurality of routers, an identifier for the router from which the message is received and processing the message only when the information regarding excised routers does not include the identifier.

A method of operating a network is provided in still another embodiment. The method is used in a communications system for communications among a plurality of routers in a network. At least one computer is linked to a first router of the plurality of routers. The method includes steps of: (i) authenticating in the first router a signal received from the computer, the signal identifying at least one router to be cut off from communicating with the network; (ii) preventing the first router from communicating with the at least one cut-off router when the signal is authenticated; and (iii) redistributing the cut-off signal to each of the plurality of routers, except for the at least one cut-off router, and preventing each of the remaining routers from communicating with the at least one cut-off router. When a router receives a message from one of the plurality of routers, the router determines if the message is from the at least one cut-off router, and processes the message only when the message is not from the at least one cut-off router.

In yet another embodiment, a method of operating the network is provided in a communications system for communications among a plurality of routers in a network. The network has verifiable information identifying at least one compromised router. The method includes steps of: (i) excising a compromised router from the network; (ii) verifying that messages transmitted between routers are from non-compromised routers; and (iii) reinstating the compromised router when it becomes non-compromised.

In another embodiment, computer executable code stored on a 
computer readable medium is provided. The code is to operate a 
communications router in a network having a plurality of routers. 
The network has verifiable information identifying at least one 
compromised router. Each of the plurality of routers includes a 
transceiver to transmit and receive messages. The computer 
executable code includes: (i) code to excise a compromised router 
from the network; (ii) code to verify that messages transmitted 
among the plurality of routers are from non-compromised routers; and (iii) code to reinstate the compromised router when it becomes non-compromised.

In yet another embodiment, a method of operating a network router 
is provided. The method is used in a communications system for 
communications among a plurality of routers in a network. Each 
of the routers maintains information regarding compromised 
routers in the network. The method includes steps of: (i) 
receiving a message from one of the plurality of routers in the 
network; (ii) determining a router identifier for the router that 
sent the message; (iii) determining whether the information regarding compromised routers in the network includes the router identifier; and (iv) disregarding the message when the router is listed in the information regarding compromised routers.

These and other objects, features and advantages will be apparent 
from the following description of the preferred embodiments of 
the present invention. 



BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be more readily understood from a 
detailed description of the preferred embodiments taken in 
conjunction with the following figures.

Figure 1 is a block diagram of a wireless communications router. 

Figure 2a is a diagram of a network configuration in which 
members route messages for one another. 

Figure 2b is a diagram of a network in which member nodes are arranged in clusters.

Figure 3 is a block diagram illustrating a network configuration, including a network control authority linked to a Router A.

Figure 4 is a flow diagram illustrating an operational aspect of a network control authority when formulating, digitally signing and transmitting an excise router signal.

Figure 5 is a flow diagram illustrating an operational aspect of a router when handling an excise router signal according to a first embodiment of the present invention.

Figure 6 is a flow diagram illustrating an operational aspect of a packet reception procedure according to a first embodiment of the present invention.

Figure 7 is a flow diagram illustrating an operational aspect of a router when handling an excise router signal according to a second embodiment of the present invention.

Figure 8 is a flow diagram illustrating an operational aspect of 
a packet reception procedure according to a second embodiment of 
the present invention. 

DETAILED DESCRIPTION OF THE 
PREFERRED EMBODIMENTS 

The preferred embodiments will be described with respect to a wireless communications router, a Network Control Authority ("NCA") and to a network formed by at least a plurality of similar wireless routers. However, the present invention is not limited to only wireless networks, and may be applied to wired networks as well.

Ad-hoc routers are specialized forms of network routers that 
contain one or more interfaces (e.g., radio, infrared, etc.). As 
will be appreciated by those of ordinary skill in the art, ad-hoc 
routers execute specialized routing protocols in order to 
discover other near-by routers, form neighbor relationships with 
those routers, and forward traffic messages through the network. 

A wireless communications router 2 is shown in Figure 1. The 
wireless router 2 preferably includes at least one central 
processing unit (CPU or other electronic processor circuit) 3, a 
memory (or an electronic memory circuit) 4, a power supply 5, a 
transceiver 6 (e.g., a transmitter and a receiver), RAM 7 and/or 
ROM 8. The memory 4, RAM 7 and ROM 8 are each suitable for storing computer executable software, data structures, databases, public and private encryption keys and/or for storing various network routing tables, for example. The transceiver 6 facilitates the transmission and reception of signals (e.g., RF and/or infrared signals) in a known manner.

As will be appreciated by those skilled in the art, the CPU 3 
executes computer executable software in a known manner. As 
such, the CPU 3 controls the operation of the wireless router 2 
and implements the software, methods, procedures and logic of the 
present invention. The wireless router 2 may include more than one transmitter and/or more than one receiver. Of course, the wireless router can include other known signal processing and measurement components, data entry devices, routing and protocol software and modules, as well as other known communication and computing components. The wireless router 2 can also include an Ethernet interface, as well as other interfacing ports. With these arrangements, the wireless router 2 is able to communicate with other wireless routers in a network. As will be appreciated by those of ordinary skill in the art, other known routing architectures may also be used. The router 2 could also be connected to a separate "host" computer in the network. As such, a network of routers could then be configured to carry traffic between such host computers.

Figure 3 illustrates a network 120 having a plurality of ad-hoc Routers (A, B, C, D, E and F) and a Network Control Authority ("NCA"). The Routers are in communication with one another as shown in Figure 3. For example, Router A has a communications link with Routers B and D, and Router E is linked to the network through Router D. The NCA is preferably a conventional computer that acts as an authorized control workstation for network 120.
For example, the NCA may include a conventional processor, memory, RAM, ROM, bus structure, monitor, Ethernet ports, modem, interfacing ports, transceiver, operational and task specific software, etc. The NCA may also include known data entry devices such as a keyboard, mouse, light pen, touch-sensitive screen, scanner, serial/parallel/USB ports, etc. Of course, the NCA may contain other known communication and computing components. The NCA issues instructions or messages to the network, such as initial configurations, default settings, commands, etc. The NCA also monitors the network to detect failures, unusual activity, loss of network connectivity, and so forth. An NCA may also be used to control the network, e.g., by excising compromised routers, adjusting the settings for interfaces, loading new software images, and so forth.

A network may also include multiple NCAs. A communications link preferably attaches each NCA to at least one router in the network. For example, as shown in Figure 3, the NCA is linked with Router A. A link may be a radio link, infrared, physical wires such as Ethernets, complex network links such as the Internet, etc. Thus an NCA may be either directly attached to the wireless network, or may be located remote from the network. However, an NCA is able to send messages to at least one router

Each NCA is preferably provided with a means (e.g., software) of digitally signing control messages that it sends to routers, so that the routers can authenticate and/or verify that a given message originated from the NCA that signed the message. As will be appreciated by those of ordinary skill in the arts, there are many known techniques for encrypting/decrypting and signing messages. For example, an encryption and signing method using "public keys" is well known in the communications and cryptography arts. As will be appreciated, a public key methodology generally relies on a pair of corresponding keys, e.g., a public and private key. A public key is generally made available to the public, while a private key is kept secret. A message that is encrypted by a public key can only be decrypted with the corresponding private key. To "sign" a message, a sender can encrypt using a private key. The "signature" is authenticated if the corresponding public key decrypts the message.

As will also be appreciated by one of ordinary skill in the art, another known technique for signing documents via public key cryptography involves a sender computing a one-way cryptographic "hash" of the document text, encrypting the hash with the sender's private key, and then sending both the original document and the encrypted hash to the recipient. The recipient then produces its own hash of the document text, decrypts the sender's attached hash via the sender's public key, and checks to see whether both hashes match. If the hashes match, the document has been properly signed and is authentic. Further reference regarding these types of techniques may be had to "Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C" by Bruce Schneier, John Wiley & Sons, Inc. (1996), including Chapters 2-4, 8 and 18-23.

By way of example, each NCA could publish its public key(s) to the network routers. Then, an NCA could encrypt messages for the network routers using a private key. A router can authenticate a signature (e.g., verify that the message originated at a specific NCA) if a public key that corresponds with the encrypting private key decrypts the message. Other variations of this public key methodology are well known in the arts. Of course, such variations and/or other known digital signature methods may also be used with the present invention.

The present invention provides a mechanism for removing compromised routers from a network. There are many known methods by which an NCA can determine whether a given router has been compromised. For example, one preferred method incorporates firewall functionality in each wireless router. This firewall functionality includes templates for various types of traffic that are expected to originate from a given router, perhaps along with a maximal rate at which such traffic should be generated. This embedded firewall functionality then continuously checks to ensure that the generated traffic falls within the guidelines imposed by these templates. If any deviation occurs, the embedded firewall sends a control message to the NCA. The NCA may then automatically, and/or with the help of a human operator, determine whether the "out of template" traffic appears sufficiently suspicious so that the router is probably compromised. For example, if the router is sending 10 times its template for certain types of traffic, this can be taken as a sign that the router has been compromised and is being used to launch denial of service attacks against other portions of the network.
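As an added illustration of the template check just described (example code written for this edition, not part of the patent), the following Go program holds one template per traffic type with a maximal rate, compares a measurement window of packet counts against the templates, reports every deviation, and applies the "10 times its template" rule from the text as the threshold for treating the router as probably compromised. The type and function names, the three templates and the sample windows are constructed for the example; the patent specifies neither a data format nor particular rates.

```go
package main

import (
	"fmt"
	"math"
)

// TrafficTemplate is the embedded firewall's expectation for one type of
// traffic originating from this router: a maximal rate in packets per second.
// The struct layout is constructed for this example; the patent fixes no format.
type TrafficTemplate struct {
	Type    string
	MaxRate float64
}

// Observation is the number of packets of one type that the firewall counted
// leaving the router during one measurement window.
type Observation struct {
	Type  string
	Count int
}

// Deviation describes traffic that fell outside its template. For a type with
// no template at all, Allowed is 0 and Ratio is +Inf: nothing of that kind was
// expected to originate here.
type Deviation struct {
	Type     string
	Observed float64 // measured packets per second
	Allowed  float64 // template maximum
	Ratio    float64 // Observed / Allowed
}

// CheckTemplates compares one window of observations against the templates and
// returns every deviation. An empty result means the traffic is within the
// guidelines and no control message needs to go to the NCA.
func CheckTemplates(templates []TrafficTemplate, window []Observation, windowSeconds float64) []Deviation {
	allowed := make(map[string]float64, len(templates))
	for _, t := range templates {
		allowed[t.Type] = t.MaxRate
	}
	var devs []Deviation
	for _, o := range window {
		rate := float64(o.Count) / windowSeconds
		limit, known := allowed[o.Type]
		switch {
		case !known:
			devs = append(devs, Deviation{o.Type, rate, 0, math.Inf(1)})
		case rate > limit:
			devs = append(devs, Deviation{o.Type, rate, limit, rate / limit})
		}
	}
	return devs
}

// ProbablyCompromised applies the NCA-side rule from the text: a router that
// exceeds a template by the given factor (10 in the example) is treated as
// probably compromised. Smaller deviations are still reported, but left to the
// operator's judgement.
func ProbablyCompromised(devs []Deviation, factor float64) bool {
	for _, d := range devs {
		if d.Ratio >= factor {
			return true
		}
	}
	return false
}

// Constructed sample data: three templates, a 10-second window in which data
// traffic runs at twelve times its allowed rate, and a window within limits.
func SampleTemplates() []TrafficTemplate {
	return []TrafficTemplate{{"routing-update", 2}, {"data", 50}, {"icmp", 5}}
}

func SuspiciousWindow() []Observation {
	return []Observation{{"routing-update", 15}, {"data", 6000}, {"icmp", 60}}
}

func NormalWindow() []Observation {
	return []Observation{{"routing-update", 10}, {"data", 300}, {"icmp", 20}}
}

func main() {
	devs := CheckTemplates(SampleTemplates(), SuspiciousWindow(), 10)
	for _, d := range devs {
		fmt.Printf("out of template: %s at %.1f pps (allowed %.1f, x%.1f)\n",
			d.Type, d.Observed, d.Allowed, d.Ratio)
	}
	fmt.Println("probably compromised:", ProbablyCompromised(devs, 10))
}
```

Every deviation, not only the large ones, is returned, because the text has the firewall report any departure from the template and leaves the decision to the NCA; only the final verdict uses the ten-fold factor.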

There are many other ways in which an NCA might determine that a given router has been compromised. As one example, a person might make a visual inspection and discover that unauthorized persons are tampering with the router. As another example, a router might start to emit routing traffic that is inconsistent with reports received from other routers in the network.

The following discussion presumes that an NCA has discovered that a router in a network has been compromised, for example, Router D of network 120, as shown in Figure 3. Thus the NCA has discovered some reason why Router D can no longer be "trusted," and must therefore excise Router D from the network.

Upon such a discovery, the NCA preferably operates as follows in a first embodiment. With reference to Figure 4, the NCA formulates a message (S1) containing an instruction "Excise Router D" (S1a). This message may also contain a list of multiple routers to be excised from the network. The message may also contain other auxiliary information such as the current time, a time at which the excision is to be revoked, and so forth. The NCA digitally signs the message, using public key cryptography or an equivalent, as discussed above (S2). The NCA then transmits the message to at least one ad-hoc router (S3), excluding Router D itself. In the Figure 3 example, the NCA transmits the message to Router A. As will be appreciated by those of ordinary skill in the art, this transmission is preferably sent via a reliable transmission protocol such as Transmission Control Protocol ("TCP"), or any other known protocol that provides reliable delivery of a message.

With reference to Figure 5, Router A preferably operates in the following manner when it receives the "Excise Router D" message (S10). Router A inspects the digital signature of the message to ensure that it is from one of the NCAs (S11). Router A can make such an inspection via the conventional public key methods discussed above, while using a configured list of public keys for the authorized NCAs stored in local, non-volatile memory. Router A preferably determines whether the signature is valid in step S12. If the signature is invalid, Router A sends a message to at least one of the NCAs informing the NCA that it has received a message with an invalid signature (S13). This message can be sent via a known Simple Network Management Protocol (SNMP) trap or other convenient protocol. Router A then discards the invalid message in step S14. When an NCA receives such a message, it preferably performs actions, such as: logs the message in a timestamped history file for later inspection; emits an audible or visible alarm to alert a human operator; brings up a window with relevant technical details on a workstation screen so a human operator can determine in detail what is happening; changes the visual depiction of the network state on a computer display, e.g., by turning the icon associated with this router to a color such as red; sends messages to other NCAs to inform them of the compromise; combinations of these actions; and so forth.

If, on the other hand, the message is properly signed, Router A 
preferably performs the following steps. Router A adds a new 
entry for Router D to an "Excision List" that it maintains 
(S15). For example, the list could be a data structure, a 
database, and so forth, that is stored in memory 4 or RAM 7. 

Router A deletes all routing updates from Router D in a local 
routing database in step S16. Router A then preferably 
determines whether Router D is listed in a Neighbor Table 
database (S17). As will be appreciated by those of ordinary 
skill in the art, the Neighbor Table database (or other data 
structure) contains information regarding neighbors associated 
with a particular router. For example, as shown in Figure 3, 
such a database for Router A could contain information regarding 
Routers B and D. Alternatively, the database may contain 
information regarding many routers, including some that are not 
in current communication with Router A. Router A deletes Router 
D from its Neighbor Table database and any other internal routing 
databases (or other data structures) that Router A maintains, if 
Router D is so listed (S18). Router A then recomputes its 
forwarding table based on this revised Neighbor Table and routing 
databases (S19). As will be appreciated, a forwarding table may 
specify an optimal path for each network destination. A reliable 
flood operation is then performed to transmit the excision 
message to all of its non-compromised neighbors (S20). 
Preferably, the message is retransmitted exactly as it is 
received. 

As will be appreciated by those of ordinary skill in the art, 
this reliable flood can be accomplished by using any one of a 
number of known methods. One method "piggy-backs" an excision 
message into normal routing protocols, which already are being 
delivered by a reliable flood mechanism. Another method performs 
a specialized radio-level protocol that repeatedly transmits an 
excision message until it is acknowledged by a given neighbor, 
and performs this action for each neighbor. Any method that 
provides a reliable flood will work, and will give the overall 
effect of delivering an excision message to the network. 

Router D will not receive the message, however, since the 
excision process (described above) removes Router D from the 
routing databases of its neighbors, thus ensuring that no further 
messages will be sent to Router D. In this regard, once a router 
receives the relayed "Excising Router D" signal it can repeat 
the procedure discussed above with respect to Figure 5. 
Alternatively, the receiving router can execute steps similar to 
those discussed in steps S15 through S20, for example, verifying 
the signal through a packet reception operation discussed below. 
Hence, the excision message itself is not sent to Router D. 

As a result, as readily shown in the Figure 3 example, Router E 
will not receive the excision message, since the message would 
necessarily have to pass through Router D to get to Router E. 
Thus the present invention may "partition" the network (e.g., 
split the network into two or more unconnected sections). A 
partition will result only if the excised router(s) is the only 
connection point for that part of the network. However, many ad-hoc 
wireless routing protocols will be able to "repair" a 
partition, and so a partition will be only temporary in cases 
where it can be repaired. 

Routers may include a unique "partition ID" when transmitting 
so-called beacon messages (or routing updates) to facilitate a 
repair of a partitioned network. If a network router can 
"hear" beacons from two or more partitions, it has detected a 
partitioned network and may decide to heal the network. If the 
node is operating as a router it could begin communicating with 
each of the partitions to heal the network. If the node is not a 
router, it could promote itself to operate as a router, if 
possible, and commence communication with each of the partitions. 
Of course, other known methods of healing a partitioned network 
may be used. 

With reference to Figure 6, a router performs the following 
packet reception operation to enhance network reliability and 
security when it receives a message or packet from another router 
in the network (S30). A router checks to see which network 
router performed the radio transmission that it has just received 
(S31). For example, a packet will preferably contain a 
transmitting node identifier, and the receiving router can 
extract the identifier from the packet. A digital signature 
method, as was discussed above, can also be used to verify which 
router has just sent the packet. The receiving router then 
determines if the transmitting router is listed on its Excision 
List (S32). If the router is listed on the Excision List, the 
receiving router discards the message or packet (S33). A router 
is considered compromised if it is listed on the Excision List. 
The receiving router treats or processes the message in a 
conventional manner if the router is not listed on the Excision 
List (S34). The fact that a router is not listed on the Excision 
List indicates that the router has not been deemed 
"compromised" (e.g., the router is considered "non-compromised"). 

This packet reception method ensures that all communications from 
an excised router are ignored. This means that an excised router 
cannot introduce traffic into the network, and thus removes 
problems that can be caused by spurious control traffic, forged 
data traffic, and so forth. 

As a second embodiment, each network router maintains in memory a 
list (or other data structure) of "trusted" routers. A trusted 
router is a router that has been pre-planned to be in the network 
and is at the moment considered "non-compromised." With this 
implementation, each router preferably communicates with only 
those routers which are listed on the "Trusted Router List," 
and removes a router from a Trusted Router List when told to do 
so via a signed message from an NCA. 

An example of this second embodiment will be discussed with 
reference to Figures 7 and 8. Figures 7 and 8 are flow diagrams 
that include some steps that are identical to those discussed 
above with reference to Figures 5 and 6, respectively. Identical 
steps are referenced with the same numbers that are used in 
Figures 5 and 6. 

Upon discovering a compromised router, an NCA formulates, 
digitally signs, and transmits an excision message to a linked 
router, as discussed above with respect to Figure 4. The 
excision message contains information regarding a compromised 
router(s) to be excised from the network. 

A router receiving (e.g., a "receiving router") an excision 
message preferably inspects and determines the validity of the 
signature as discussed above with respect to steps S10-S12. If 
the signature is invalid, the receiving router transmits a 
message to at least one NCA (S13) and then discards the message 
(S14). If the signature is valid, the receiving router removes 
the compromised router from its "Trusted Router List" (S40). 
The receiving router then updates and recomputes its internal 
databases (and/or other tables and data structures) as discussed 
above with respect to steps S16-S19. The excision message is then 
flooded to all trusted neighbors (S20). 

With reference to Figure 8, a router performs the following 
packet reception operation in the second embodiment when it 
receives a message or packet from another router in the network 
(S30). A router checks to see which network router performed the 
radio transmission that it has just received (S31), as discussed 
above. The receiving router then determines if the transmitting 
router is listed on its Trusted Router List (S50). If the router 
is listed on the Trusted Router List, the receiving router treats 
or processes the message in a conventional manner (S51). The 
receiving router discards or otherwise ignores the packet or 
message if the router is not listed on the Trusted Router List 
(S52). A router is considered "compromised" when it is not 
listed on the Trusted Router List. 

The above described two embodiments provide slightly different 
advantages. The first embodiment (e.g., maintaining a list of 
excised routers) allows a relatively "open" network in which 
any correctly implemented network node may freely join the 
network without prior planning. The second embodiment (e.g., 
maintaining a list of trusted routers) is a more controlled 
method of planning "closed" networks. A closed network is one 
in which every permissible network node must be explicitly given 
permission to join the network at the time that the network is 
planned and configured, and in which no unplanned nodes may join 
a network. In either embodiment, however, compromised nodes may 
be promptly and effectively excised from the network. 

An NCA can reinstate a compromised router in each of the 
discussed embodiments. This procedure includes an NCA sending an 
"all clear" message that essentially counteracts the effects of 
an excision message. The "all clear" message can be formulated 
and transmitted under a procedure similar to the one shown in 
Figure 4. This "all clear" message indicates that the given 
router, or routers, should be removed from each network router's 
Excision List, or added to their Trusted Router List. A router 
that receives an "all clear" message from an NCA can inspect 
the message to ensure that it contains a valid signature, as 
described above. If the signature is valid, the router can 
update its Excision (or Trusted Router) List and perform a 
reliable flood operation. The router will then accept network 
updates and/or messages from the reinstated router. If the 
signature is not valid, the router can inform the NCA of such, 
and disregard the message, as was described above with respect to 
Figures 5 and 7. Once reinstated, the network can provide 
updates to the reinstated router, such as updated Excision or 
Trusted Router Lists. 
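The excision handling of Figure 5 (steps S10 through S20), the packet reception check of Figure 6 (steps S30 through S34) and the "all clear" reinstatement just described, as an added Python example that is not part of the patent. It assumes a constructed six-router topology in the spirit of Figure 3 (the NCA linked to Router A, Router E reachable only through Router D), replaces the public-key signature with an HMAC stand-in keyed by the NCA's secret, and suppresses duplicate relays by message signature so that the simulated flood terminates.

```python
import hashlib
import heapq
import hmac
import json

# Stand-in for the NCA's public-key signature: an HMAC keyed with the NCA's
# secret (assumption). A real router would instead verify an asymmetric
# signature against its configured list of NCA public keys.
def sign(nca_name, nca_key, payload):
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(nca_key, body, hashlib.sha256).hexdigest()
    return {"nca": nca_name, "payload": payload, "sig": sig}


class Router:
    def __init__(self, name, neighbors, nca_keys):
        self.name = name
        self.nca_keys = dict(nca_keys)      # configured list of authorized NCAs
        self.neighbor_table = set(neighbors)
        self.routing_db = {}                # link-state updates: origin -> links
        self.excision_list = set()          # step S15
        self.forwarding_table = {}          # destination -> next hop
        self.nca_alerts = []                # alerts raised toward an NCA (S13)
        self.seen = set()                   # signatures already flooded (assumption)

    def verify(self, msg):
        """Steps S11/S12: is the message from one of the configured NCAs?"""
        key = self.nca_keys.get(msg.get("nca"))
        if key is None:
            return False
        body = json.dumps(msg["payload"], sort_keys=True).encode()
        expect = hmac.new(key, body, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expect, msg.get("sig", ""))

    def routing_update(self, origin, links):
        if origin not in self.excision_list:    # updates from excised routers are ignored
            self.routing_db[origin] = set(links)
            self.recompute_forwarding()

    def recompute_forwarding(self):
        """Step S19: Dijkstra (unit costs) ignoring links to excised routers."""
        graph = {self.name: set(self.neighbor_table)}
        for origin, links in self.routing_db.items():
            graph.setdefault(origin, set()).update(links)
        dist, next_hop = {self.name: 0}, {}
        heap = [(0, self.name, None)]
        while heap:
            d, node, hop = heapq.heappop(heap)
            if d > dist.get(node, d):
                continue
            for nxt in graph.get(node, ()):
                if nxt in self.excision_list or d + 1 >= dist.get(nxt, float("inf")):
                    continue
                dist[nxt] = d + 1
                next_hop[nxt] = nxt if node == self.name else hop
                heapq.heappush(heap, (d + 1, nxt, next_hop[nxt]))
        self.forwarding_table = next_hop

    def handle_control(self, msg):
        """Figure 5 for an "excise" message, and the "all clear" reinstatement.
        Returns the (neighbor, message) pairs to relay in step S20."""
        if not self.verify(msg):
            self.nca_alerts.append((self.name, "invalid signature"))  # S13
            return []                                                 # S14
        if msg["sig"] in self.seen:             # duplicate: already flooded
            return []
        self.seen.add(msg["sig"])
        action, target = msg["payload"]["action"], msg["payload"]["router"]
        if action == "excise":
            self.excision_list.add(target)        # S15
            self.routing_db.pop(target, None)     # S16: drop its routing updates
            self.neighbor_table.discard(target)   # S17/S18
        elif action == "all_clear":
            self.excision_list.discard(target)    # reinstate the router
        self.recompute_forwarding()               # S19
        return [(n, msg) for n in self.neighbor_table if n not in self.excision_list]  # S20

    def receive_packet(self, sender, packet):
        """Figure 6, steps S32-S34: drop anything sent by an excised router."""
        return None if sender in self.excision_list else packet


def reliable_flood(routers, first, msg):
    """Constructed reliable flood: deliver to the NCA-linked router, relay hop by hop."""
    pending, reached = [(first, msg)], set()
    while pending:
        name, m = pending.pop()
        reached.add(name)
        pending.extend(routers[name].handle_control(m))
    return reached


def build_network():
    """Constructed topology after Figure 3: NCA linked to A; E reachable only via D."""
    topo = {"A": ["B", "D"], "B": ["A", "C"], "C": ["B", "F"],
            "D": ["A", "E"], "E": ["D"], "F": ["C"]}
    nca_keys = {"NCA1": b"nca1-secret-constructed"}
    routers = {n: Router(n, links, nca_keys) for n, links in topo.items()}
    for r in routers.values():                # everyone learns the link state
        for origin, links in topo.items():
            r.routing_update(origin, links)
    return routers
```

Excising D leaves E partitioned (no forwarding entry for E at A) until an "all clear" is flooded and D's routing updates are accepted again.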

The individual components shown in outline or designated by 
blocks in the figures are all well known in the communication 
arts, and their specific construction and operation are not 
critical to the operation or best mode for carrying out the 
invention. 
While the present invention has been described with respect to 
what is presently considered to be the preferred embodiments, it 
is to be understood that the invention is not limited to the 
disclosed embodiments. To the contrary, the invention is 
intended to cover various modifications and equivalent 
arrangements included within the spirit and scope of the appended 
claims. The scope of the following claims is to be accorded the 
broadest interpretation so as to encompass all such modifications 
and equivalent structures and functions. 

For example, the concepts of the present invention may also be 
used in wired networks and/or networks that are not ad-hoc. For 
instance, an Internet provider could use such technology as part 
of the protection of its main backbone network. 

Although this present invention has obvious military utility, it 
also has a wide applicability in the commercial world as well, 
even though, at present, wired network routers are usually placed 
in locked cabinets to protect them from the sorts of "attacks" 
described above. Accordingly, real "enemies" would not likely 
carry out these attacks, but more likely, the attacks would be 
carried out by "hackers" or even well meaning, but misguided 
persons. As routers are placed outdoors in a wide variety of 
locations the chances for mischief or bungling increase. This is 
likely to be a common scenario for a new generation of wireless 
metropolitan area networks, and so the present invention could 
play a role in protecting such networks, as well as military 
networks. 

Also, as an alternative operational aspect, a router could be 
"temporarily" excised. Then after a specified time, the 
routers in the network would automatically reinstate the 
compromised router, without any prompting from an NCA. 

Furthermore, as will be appreciated by those of ordinary skill in 
the art, the methods, procedures, lists, data structures, and 
logic as described herein, can be readily embodied in a 
programmable computer or in computer executable software using 
known programming techniques. The software can be stored on a 
computer readable medium, for example, on a floppy disk, RAM, 
ROM, a hard disk, removable media, flash memory, memory sticks, 
optical mediums, magneto-optical mediums, CD-ROMs, etc. 

Of course, in addition to excising and/or reinstating cluster 
heads in a network configuration as shown in Figure 2b, cluster 
members may also be excised and/or reinstated according to the 
procedures discussed above. 

As will also be appreciated by those of ordinary skill in the 
art, the specific network configurations shown in Figures 2a, 2b 
and 3 in no way limit the scope of the present invention. Other 
possible configurations may include a different number of total 
routers or nodes, a different NCA connection(s), a different 
compromised router(s), different connectivity arrangements, a 
different number of cluster heads, cluster members and/or 
affiliation connections, multiple cluster-member to cluster head 
affiliations, cluster-member to cluster-member messaging, and so 
forth. 

WHAT IS CLAIMED: 

1. A communications router for use in a communications 
network including a plurality of routers, at least one network 
control computer communicating with said communications router, 
said communications router including a transceiver to transmit 
and receive messages, said communications router comprising: 

an electronic memory circuit having network information 
stored therein; and 

an electronic processor circuit which (i) evaluates an 
excising signal received from the network control computer, the 
excising signal containing information regarding a first router 
of the plurality of routers to be excised from the network; (ii) 
determines an authenticity of the excising signal; (iii) excises 
the first router when the excising signal is authenticated; and 
(iv) reroutes the excising signal to at least a second router of 
the plurality of routers when the excising signal is 
authenticated. 

2. A communications router according to Claim 1, 
wherein said electronic processor circuit excises the first 
router by (a) adding the first router to information regarding 
routers stored in said electronic memory circuit, (b) removing 
from said electronic memory circuit routing updates corresponding 
to the first router, (c) removing the first router from a 
neighbor table stored in said electronic memory circuit when the 
first router is listed therein, and (d) recomputing a forwarding 
table to direct future routing. 

3. A communications router according to Claim 2, 
wherein said electronic processor circuit further causes a 
message to be transmitted to the network control computer and to 
disregard the excising signal each when the excising signal is 
not authentic. 

4. A communications router according to Claim 3, 
wherein said electronic processor circuit further: (i) evaluates 
a signal received through the transceiver from another network 
router; (ii) identifies which network router the signal has been 
received from; (iii) determines if the network router is listed 
with the information regarding excised routers; (iv) discards the 
signal when the router is listed; and (v) processes the signal 
when the router is not listed. 

5. A communications router according to Claim 1, 
wherein said electronic processor circuit determines the 
authenticity of the excising signal using a public encryption 
key. 

6. A communications router according to Claim 1, 
wherein said electronic processor reinstates the first station 
when said communications router receives and verifies a reinstate 
message from the network control computer. 

7. In a communications system for communications among 
a plurality of routers in a network, at least one network control 
computer being linked to a first router of the plurality of 
routers, each of the communications routers including a 
transceiver to transmit and receive messages, a method of 
operating the first router comprising the steps of: 

evaluating an excising signal received from the network 
control computer, the excising signal containing information 
regarding a second router of the plurality of routers to be 
excised from the network; 

determining an authenticity of the excising signal; 

excising the second router when the excising signal is 
authentic; and 

rerouting the excising signal to at least a third 
router of the plurality of routers. 

8. A method according to Claim 7, wherein said 
excising step comprises (a) adding the second router to 
information regarding routers stored in a memory, (b) removing 
from the communications router routing updates corresponding to 
the second router, (c) removing the second router from a neighbor 
table of the communications router when the second router is 
listed therein, and (d) recomputing a forwarding table. 

9. A method according to Claim 8, further comprising 
steps of transmitting a message to the network control computer 
and disregarding the excising signal when the excising signal is 
not authentic. 

10. A method according to Claim 8, further comprising 
the steps of: 

evaluating a signal received through the transceiver 
from another network router; 

identifying which network router a signal has just been 
received from; 

determining if the network router is identified by the 
information regarding excised routers; 

discarding the signal when the router is listed; and 

processing the signal when the router is not listed. 

11. A method according to Claim 7, further comprising 
the steps of: 

evaluating a signal received through the transceiver 
from another network router; 

identifying which network router the signal has just 
been received from; 

determining if the network router is identified by 
information regarding non-compromised routers stored in a memory; 

discarding the signal when the router is not listed; 
and 

processing the signal when the router is listed. 

12. A method according to Claim 7, wherein said 
excising step comprises (a) removing the second router from 
information regarding non-compromised routers stored in a memory, 
(b) removing from the communications router routing updates 
corresponding to the second router, (c) removing the second 
router from a neighbor table of the communications router when 
the second router is listed therein, and (d) recomputing a 
forwarding table. 

13. A method according to Claim 12, further comprising 
steps of transmitting a message to the network control computer, 
and disregarding the excising signal when the excising signal is 
not authenticated. 

14. A method according to Claim 7, wherein the 
excising signal is authenticated using a public encryption key. 

15. A communications router according to Claim 7, 
further comprising the step of reinstating the second station 
when the communications router receives and verifies a reinstate 
message from the network control computer. 

16. A mobile communications station which communicates 
among a plurality of mobile stations in an ad-hoc network in 
which stations are arranged in clusters of communication member 
stations, with one member station in each cluster being a head 
station for the cluster, each member station communicating with 
the network through at least one cluster head station, a cluster 
head station communicating with zero or more cluster head 
stations, the mobile station including a transceiver which 
transmits signals to and receives signals from mobile stations in 
the network, a network computer being linked with said mobile 
communications station, said mobile communications station 
comprising: 

a memory having network information stored thereon; and 

a processor which (i) operates said mobile station as a 
cluster head or cluster member station; (ii) evaluates an 
excising signal received from the network control computer, the 
excising signal containing information regarding a first cluster 
head or cluster member station to be excised from the network; 
(iii) verifies the authenticity of the excising signal; (iv) 
excises the first cluster head or cluster member station when the 
excising signal is authentic; and (v) distributes the excising 
signal to at least a second cluster head or cluster member 
station. 

17. In a communications system for communications in a 
network among a plurality of wireless routers, at least one 
control computer being linked to a first router of the plurality 
of routers, each of the routers including a transceiver to 
transmit and receive messages, a method of operating the network 
comprising the steps of: 

formulating in the control computer an excise signal 
indicating at least a second router to be excised from the 
network, providing a digital signature of the control computer on 
the excise signal and transmitting the excise signal to the first 
router; 

verifying the signature on the excise signal in the 
first router, and when the signature is valid (a) adding the 
information identifying the second router to information 
regarding excised routers stored in memory of the first router, 
(b) removing from the first router routing updates corresponding 
to the second router, (c) removing information corresponding to 
the second router from a neighbor table of the first router when 
the second router is listed therein, and (d) recomputing a 
forwarding table in the first router; 

redistributing the excise signal to each of the 

plurality of routers, except for the second router; and 

determining, in each of the plurality of routers when 
receiving a message from another one of the plurality of routers, 
an identifier for the router from which the message is received 
and processing the message only when the information regarding 
excised routers does not include the identifier. 

18. The method according to Claim 17, further 
comprising steps of transmitting a message to the control 
computer from the first router and causing the first router to 
disregard the excise signal each when the excise signal is not 
authentic. 

19. A method according to Claim 18, wherein the 
digital signature is validated using a public encryption key. 

20. A method according to Claim 19, further comprising 
the step of reinstating the excised second router. 

21. A method according to Claim 20, wherein a router 
disregards the message when the information regarding excised 
routers includes the identifier. 

22. In a communications system for communications in a 
network among a plurality of wireless routers, at least one 
control computer being linked to a first router of the plurality 
of routers, each of the routers including a transceiver to 
transmit and receive messages, a method of operating the network 
comprising the steps of: 

formulating in the control computer an excise signal 
indicating at least a second router to be excised from the 
network, providing a digital signature of the control computer on 
the excise signal and transmitting the excise signal to the first 
router; 

verifying the signature on the excise signal in the 
first router, and when the signature is valid removing the 
information identifying the second router from information 
regarding non-compromised routers stored in memory of the first 
router; 

redistributing the excise signal to each of the 
plurality of routers, except for the second router; and 

determining, in each of the plurality of routers when 
receiving a message from another one of the plurality of routers, 
an identifier for the router from which the message is received 
from and processing the message only when the information 
regarding non-compromised routers includes the identifier. 

23. The method according to Claim 22, further 
comprising steps of transmitting a message to the control 
computer from the first router and causing the first router to 
disregard the excise signal each when the excise signal is not 
authentic. 

24. A communications router for use in a 
communications network, the network including a plurality of 
routers, at least one network control computer communicating with 
said communications router, said communications router including 
a transceiver to transmit and receive messages, said 
communications router comprising: 

means for storing network information; 

means for evaluating an excising signal received from 
the network control computer, the excising signal containing 
information regarding a first router of the plurality of routers 
to be excised from the network; 

means for authenticating the excising signal; 

means for excising the first router when the excising 
signal is authentic; and 

means for rerouting the excising signal to at least a 
second router of the plurality of routers. 

25. In a communications system for communications 
among a plurality of routers in a network, at least one computer 
being linked to a first router of the plurality of routers, a 
method of operating the network comprising the steps of: 

authenticating in the first router a signal received 
from the control computer, the signal identifying at least one 
router to be cut-off from communicating with the network; 

preventing the first router from communicating with the 
at least one cut-off router when the signal is authenticated; 

redistributing the cut-off signal to each of the 
plurality of routers, except for the at least one cut-off router, 
and preventing each of the remaining routers from communicating 
with the at least one cut-off router, 

wherein when a router receives a message from one of 
the plurality of routers, the router determines if the message is 
from the at least one cut-off router, and processes the message 
only when the message is not from the at least one cut-off 
router. 

26. In a communications system for communication among 
a plurality of routers in a network, at least one computer being 
linked to a first router of the plurality of routers, a method of 
operating the network comprising the steps of: 

authenticating in the first router a signal received 
from the control computer, the signal identifying at least one 
router to be cut-off from communicating with the network; 

preventing the first router from communicating with the 
at least one cut-off router when the signal is authenticated; 

redistributing the cut-off signal to each of the 
plurality of routers, except for the at least one cut-off router, 
and preventing each of the remaining routers from communicating 
with the at least one cut-off router, 

wherein when a router receives a message from one of 
the plurality of routers, the router determines if the message is 
from a router other than the at least one cut-off router, and 
processes the message only when the message is from a router 
other than the at least one cut-off router. 

27. In a communications system for communications 
among a plurality of routers in a network having verifiable 
information identifying at least one compromised router, a method 
of operating the network comprising the steps of: 
excising a compromised router from the network; and 

determining whether messages transmitted between the 
plurality of routers are from the compromised router. 

28. The method according to Claim 27, further 
comprising a step of reinstating the compromised router when it 
becomes non-compromised. 

29. The method according to Claim 27, wherein the 
plurality of routers are prevented from communicating with the 
compromised router. 

30. The method according to Claim 29, wherein said 
determining step comprises consulting a data structure 
representing excised routers to determine if the router is non- 
compromised. 

31. The method according to Claim 29, wherein said 
determining step comprises consulting a data structure 
representing trusted routers to determine if the router is non- 
compromised. 

32. Computer executable code stored on a computer 
readable medium, the code to operate a communications router in 
network having a plurality of routers, at least one computer 
being linked to the communications router, each of the plurality 
of routers including a transceiver to transmit and receive 
messages, said computer executable code comprising: 
code to excise a compromised router from the network; 

code to verify that messages transmitted among the 
plurality of routers are from non-compromised routers; and 

code to reinstate the compromised router when it 
becomes non-compromised. 

33. In a communications system for communications 
among a plurality of routers in a network, each of the routers 
maintaining information regarding compromised routers in the 
network, a method of operating a network router comprising the 
steps of: 

receiving a message from one of the plurality of 
routers in the network; 

determining a router identifier for the router that 
just transmitted the message; 

determining whether the information regarding 
compromised routers in the network includes the router 
identifier; and 

disregarding the message when the router is listed in 
the information regarding compromised routers. 

34. In a communications system for communications 
among a plurality of routers in a network, each of the routers 
maintaining information regarding non-compromised routers in the 
network, a method of operating a network router comprising the 
steps of: 

receiving a message from one of the plurality of 
routers in the network; 

determining a router identifier for the router that 
just transmitted the message; 

determining whether the information regarding 
non-compromised routers in the network includes the router 
identifier; and 

disregarding the message when the router is not listed 
in the information regarding non-compromised routers. 

35. A method of excising a compromised router from an 
ad-hoc network, the network including a plurality of routers, at 
least one network control computer communicates with at least one 
of the plurality of routers, said method comprising the steps of: 

determining a compromised router of the plurality of 
routers in the network; 

excising the compromised router from the network; and 

preventing the plurality of routers from communicating 
with the compromised router. 

36. The method according to Claim 35, wherein said 
determining step comprises determining a compromised router 
through embedded firewall functionality provided in each of the 

ABSTRACT 

A method of operating a network (120) is provided in a 
communications system for communications among a plurality of 
routers in the network. The network receives verifiable 
information identifying at least one compromised router (D). The 
method includes a step to excise the compromised router (D) from 
the network. The method also includes steps to verify that 
messages transmitted between routers (A, B, C, D, E and F) are 
from non-compromised routers (A, B, C, E and F), and to reinstate 
the compromised router (D) when it becomes non-compromised. 